The branch, master has been updated
       via  9dc165e80fb lib:cmdline: POPT_CALLBACK_REASON_POST should handle if 
we skip the password callback
       via  dd4f4037925 lib:cmdline: Make sure --use-krb5-ccache sets the ccache
       via  6085b737ba7 auth:creds: Do a kinit if we have a password and the 
ccache is empty
      from  be192dc2f5b s3-wscript: make sure to build with selftest without 
libevent

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9dc165e80fb90774b6999b90483e5fcfb5c2798e
Author: Andreas Schneider <[email protected]>
Date:   Fri Apr 11 10:56:43 2025 +0200

    lib:cmdline: POPT_CALLBACK_REASON_POST should handle if we skip the 
password callback
    
    It is already checking if there is a valid ccache and disabling the 
callback.
    In case of IAKerb we specify a ccache but might need to fill one with a krbtgt.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>
    
    Autobuild-User(master): Andreas Schneider <[email protected]>
    Autobuild-Date(master): Tue Apr 15 12:54:57 UTC 2025 on atb-devel-224

commit dd4f403792528d13955228c780fe4891a56e3e60
Author: Andreas Schneider <[email protected]>
Date:   Fri Apr 4 10:27:50 2025 +0200

    lib:cmdline: Make sure --use-krb5-ccache sets the ccache
    
    Pair-Programmed-With: Alexander Bokovoy <[email protected]>
    Signed-off-by: Alexander Bokovoy <[email protected]>
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 6085b737ba702582765840e21cc88d6007dacecf
Author: Andreas Schneider <[email protected]>
Date:   Fri Apr 11 13:49:22 2025 +0200

    auth:creds: Do a kinit if we have a password and the ccache is empty
    
    This implements the same behaviour for s4 clients as we have with s3
    clients.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Alexander Bokovoy <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials_krb5.c        | 30 +++++------
 lib/cmdline/cmdline.c                      | 84 +++++++++++++++++++++---------
 testprogs/blackbox/test_client_kerberos.sh |  2 +-
 3 files changed, 72 insertions(+), 44 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials_krb5.c 
b/auth/credentials/credentials_krb5.c
index ce76b10361d..f905fe736cc 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -669,37 +669,31 @@ _PUBLIC_ int cli_credentials_get_named_ccache(struct 
cli_credentials *cred,
        if (cred->ccache_obtained >= cred->ccache_threshold &&
            cred->ccache_obtained > CRED_UNINITIALISED) {
                time_t lifetime;
-               bool expired = false;
+               enum credentials_obtained pass_obtained =
+                       cli_credentials_get_password_obtained(cred);
+               bool kinit_required = false;
                ret = 
smb_krb5_cc_get_lifetime(cred->ccache->smb_krb5_context->krb5_context,
                                               cred->ccache->ccache, &lifetime);
                if (ret == KRB5_CC_END || ret == ENOENT) {
-                       /* If we have a particular ccache set, without
-                        * an initial ticket, then assume there is a
-                        * good reason */
+                       kinit_required = true;
                } else if (ret == 0) {
                        if (lifetime == 0) {
-                               DEBUG(3, ("Ticket in credentials cache for %s 
expired, will refresh\n",
-                                         cli_credentials_get_principal(cred, 
cred)));
-                               expired = true;
+                               kinit_required = true;
                        } else if (lifetime < 300) {
-                               DEBUG(3, ("Ticket in credentials cache for %s 
will shortly expire (%u secs), will refresh\n",
-                                         cli_credentials_get_principal(cred, 
cred), (unsigned int)lifetime));
-                               expired = true;
+                               kinit_required = true;
                        }
                } else {
-                       (*error_string) = talloc_asprintf(cred, "failed to get 
ccache lifetime: %s\n",
-                                                         
smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context,
-                                                                               
     ret, cred));
-                       return ret;
+                       kinit_required = true;
                }
 
-               DEBUG(5, ("Ticket in credentials cache for %s will expire in %u 
secs\n",
-                         cli_credentials_get_principal(cred, cred), (unsigned 
int)lifetime));
-
-               if (!expired) {
+               if (!kinit_required) {
                        *ccc = cred->ccache;
                        return 0;
                }
+               if (pass_obtained < cred->ccache_obtained) {
+                       (*error_string) = "The credential cache is invalid";
+                       return EINVAL;
+               }
        }
        if (cli_credentials_is_anonymous(cred)) {
                (*error_string) = "Cannot get anonymous kerberos credentials";
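Review bot: The final `else` of the lifetime check now swallows the krb5 error: where the old code returned `ret` with a message from smb_get_krb5_error_message(), the new code only sets `kinit_required = true`, so a ccache that cannot be inspected at all (wrong type, unreadable file, corrupt contents) is treated exactly like an empty one and `ret` carries a non-zero value into the rest of the function. Unless a later line resets `ret` — cli_credentials_get_named_ccache continues outside the hunk — that can either be masked or resurface as an unrelated error. At minimum keep the diagnostic, e.g. in that branch `DEBUG(3, ("failed to get ccache lifetime: %s, will kinit\n", smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context, ret, cred)));`. The removed DEBUG(3) lines for the expired and near-expiry cases were the only record of why a re-kinit happens; a one-line debug per `kinit_required = true` would restore that for operators.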
diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index 161ba8874bf..e434d65a2ef 100644
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -16,6 +16,7 @@
  */
 
 #include "includes.h"
+#include "auth/credentials/credentials.h"
 #include "lib/param/param.h"
 #include "dynconfig/dynconfig.h"
 #include "auth/gensec/gensec.h"
@@ -930,6 +931,7 @@ static struct poptOption popt_common_connection[] = {
 
 static bool skip_password_callback;
 static bool machine_account_pending;
+static char *krb5_ccache = NULL;
 
 static void popt_common_credentials_callback(poptContext popt_ctx,
                                             enum poptCallbackReason reason,
@@ -1004,6 +1006,31 @@ static void popt_common_credentials_callback(poptContext 
popt_ctx,
                                                     CRED_SPECIFIED);
                }
 
+               /*
+                * If --use-krb5-ccache was passed on the command line we need
+                * to overwrite the values set by cli_credentials_guess().
+                */
+               if (krb5_ccache != NULL) {
+                       const char *error_string = NULL;
+                       int rc;
+
+                       rc = cli_credentials_set_ccache(creds,
+                                                       lp_ctx,
+                                                       krb5_ccache,
+                                                       CRED_SPECIFIED,
+                                                       &error_string);
+                       SAFE_FREE(krb5_ccache);
+                       if (rc != 0) {
+                               fprintf(stderr,
+                                       "Error setting krb5 credentials cache: "
+                                       "'%s'"
+                                       " - %s\n",
+                                       krb5_ccache,
+                                       error_string);
+                               exit(1);
+                       }
+               }
+
                if (cli_credentials_get_kerberos_state(creds) ==
                    CRED_USE_KERBEROS_REQUIRED)
                {
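Review bot: `SAFE_FREE(krb5_ccache);` is executed before the `rc != 0` branch that formats `krb5_ccache` with `%s`, so the error message prints a pointer that has already been freed (and, if SAFE_FREE follows the usual free-and-NULL pattern in this code base, a NULL — "(null)" at best, undefined behaviour formally). Drop that line and place `SAFE_FREE(krb5_ccache);` after the closing brace of the `if (rc != 0)` block instead; because the failure path calls `exit(1)`, no free is needed there. The enclosing popt_common_credentials_callback starts and ends outside the hunk.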
@@ -1023,10 +1050,10 @@ static void 
popt_common_credentials_callback(poptContext popt_ctx,
                                skip_password_callback = true;
                        }
                }
-               if (!skip_password_callback) {
-                       (void)cli_credentials_get_password_and_obtained(creds,
-                                                                       
&password_obtained);
-               }
+
+               (void)cli_credentials_get_password_and_obtained(
+                       creds, &password_obtained);
+
                if (!skip_password_callback &&
                    password_obtained < CRED_CALLBACK) {
                        ok = cli_credentials_set_cmdline_callbacks(creds);
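Review bot: The call to `cli_credentials_get_password_and_obtained()` is now made even when `skip_password_callback` is set, but nothing in the hunk says why, and the reason is only visible further down where `password_obtained` decides whether the ccache is invalidated. A short comment above the call would keep the next reader from re-adding the guard, e.g. `/* Always query it: password_obtained is needed below even when the callback is skipped. */`. The callback continues outside the hunk.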
@@ -1038,6 +1065,15 @@ static void popt_common_credentials_callback(poptContext 
popt_ctx,
                        }
                }
 
+               /*
+                * If the user specified a password on the command line always
+                * do a kinit!
+                */
+               if (password_obtained == CRED_SPECIFIED) {
+                       cli_credentials_invalidate_ccache(creds,
+                                                         CRED_SPECIFIED);
+               }
+
                return;
        }
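Review bot: The invalidation for `password_obtained == CRED_SPECIFIED` runs after the `--use-krb5-ccache` handling earlier in the same POST branch, and both use `CRED_SPECIFIED`, so a ccache the user named explicitly presumably loses to a command-line password — I cannot see cli_credentials_invalidate_ccache() from here to confirm which side wins on equal precedence. Whichever it is, the comment should state the precedence so the behaviour is documented rather than discovered, e.g. extend it with `* A ccache given via --use-krb5-ccache is replaced by the result of that kinit.` if that is the intent. The test change in test_client_kerberos.sh only covers the interactive-password case, not a password passed together with --use-krb5-ccache.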
 
@@ -1138,9 +1174,6 @@ static void popt_common_credentials_callback(poptContext 
popt_ctx,
                break;
        }
        case OPT_USE_KERBEROS_CCACHE: {
-               const char *error_string = NULL;
-               int rc;
-
                if (arg == NULL) {
                        fprintf(stderr,
                                "Failed to parse --use-krb5-ccache=CCACHE: "
@@ -1148,30 +1181,31 @@ static void 
popt_common_credentials_callback(poptContext popt_ctx,
                        exit(1);
                }
 
-               ok = cli_credentials_set_kerberos_state(creds,
-                                                       
CRED_USE_KERBEROS_REQUIRED,
-                                                       CRED_SPECIFIED);
-               if (!ok) {
-                       fprintf(stderr,
-                               "Failed to set Kerberos state to %s!\n", arg);
-                       exit(1);
+               /*
+                * Remember the value and handle it in
+                * POPT_CALLBACK_REASON_POST.
+                */
+               if (arg[0] != '\0') {
+                       krb5_ccache = strdup(arg);
+                       if (krb5_ccache == NULL) {
+                               fprintf(stderr, "Failed allocate memory\n");
+                               exit(1);
+                       }
                }
 
-               rc = cli_credentials_set_ccache(creds,
-                                               lp_ctx,
-                                               arg,
-                                               CRED_SPECIFIED,
-                                               &error_string);
-               if (rc != 0) {
+               ok = cli_credentials_set_kerberos_state(
+                       creds, CRED_USE_KERBEROS_REQUIRED, CRED_SPECIFIED);
+               if (!ok) {
                        fprintf(stderr,
-                               "Error reading krb5 credentials cache: '%s'"
-                               " - %s\n",
-                               arg,
-                               error_string);
+                               "Failed to set Kerberos state to %s!\n",
+                               arg);
                        exit(1);
                }
 
-               skip_password_callback = true;
+               /*
+                * The password callback will be skipped, if we have a valid
+                * ccache. This is handled in POPT_CALLBACK_REASON_POST.
+                */
                break;
        }
        case OPT_USE_WINBIND_CCACHE:
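Review bot: A repeated `--use-krb5-ccache` leaks the earlier copy, because `krb5_ccache = strdup(arg);` overwrites the static pointer without freeing it; add `SAFE_FREE(krb5_ccache);` before the strdup (free(NULL) is a no-op, so no guard is needed). The out-of-memory message is missing a word: `"Failed to allocate memory\n"`. An empty `--use-krb5-ccache=` now leaves `krb5_ccache` NULL yet still forces CRED_USE_KERBEROS_REQUIRED, which presumably means "use the default ccache" — if so, a one-line comment on the `arg[0] != '\0'` check would spare the next reader the guess. The enclosing switch and callback continue outside the hunk.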
diff --git a/testprogs/blackbox/test_client_kerberos.sh 
b/testprogs/blackbox/test_client_kerberos.sh
index 54554ea3290..395b5bc989a 100755
--- a/testprogs/blackbox/test_client_kerberos.sh
+++ b/testprogs/blackbox/test_client_kerberos.sh
@@ -147,7 +147,7 @@ testit "test rpcclient kerberos" \
        failed=$(expr $failed + 1)
 
 cmd='echo ${PASSWORD} | $samba_rpcclient ncacn_np:${SERVER} -U${USERNAME} 
--use-krb5-ccache=$KRB5CCNAME --configfile=${CONFIGURATION} -c getusername 2>&1'
-testit_expect_failure "test rpcclient kerberos interactive (negative test)" \
+testit "test rpcclient kerberos interactive" \
        test_rpc_getusername ||
        failed=$(expr $failed + 1)
 


-- 
Samba Shared Repository
